The Patch-Velocity Gap: AI Discovery Is Outpacing OSS Patching

Dev.to AI

Your SBOM Tells You What's Vulnerable. It Doesn't Tell You How Long It Will Stay That Way.

Imagine your team runs a dependency scan before a release. Two hundred warnings. You triage by CVSS score - fix the criticals, document the highs, accept the mediums. You ship. Six weeks later, a medium-severity advisory that was already disclosed before your release date gets exploited in production. The maintainer was a solo developer. He'd acknowledged the CVE in a GitHub issue. There was even a draft fix - it just hadn't shipped. Your scanner knew the package was vulnerable.
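The scenario above is a triage that ranks on CVSS alone and never asks whether a fix exists or how long the advisory has been public. The following Python is an added illustration, not code from the post: it enriches each scanner finding with two fields the post's scenario hinges on (has upstream shipped a fix, and how many maintainers are behind the package) and ranks by an exposure-aware score instead of raw CVSS. The advisory ids, dates, CVSS values and the scoring weights are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Reference date for the constructed sample below (assumption, not from the post).
TODAY = date(2024, 6, 1)


@dataclass(frozen=True)
class Finding:
    """One scanner hit, enriched with the fields that CVSS-only triage ignores."""
    package: str
    advisory: str        # placeholder advisory id, not a real CVE
    cvss: float
    disclosed: date      # public disclosure date of the advisory
    fix_released: bool   # has upstream actually shipped a fixed version?
    maintainers: int     # active upstream maintainers (a bus-factor signal)


def exposure_days(finding: Finding, today: date = TODAY) -> int:
    """Days the advisory has been public, i.e. how long attackers have known."""
    return (today - finding.disclosed).days


def velocity_score(finding: Finding, today: date = TODAY) -> float:
    """CVSS as the baseline, plus a penalty when no upstream fix exists.

    Weights are illustrative assumptions: up to +3.0 for each month the
    advisory has sat unpatched (capped at three months), and +1.0 when the
    package rests on a single maintainer, since a draft fix from one person
    can stall indefinitely.
    """
    score = finding.cvss
    if not finding.fix_released:
        score += min(exposure_days(finding, today) / 30.0, 3.0)
        if finding.maintainers <= 1:
            score += 1.0
    return round(score, 1)


def recommended_action(finding: Finding) -> str:
    """What the scanner output alone cannot tell you: upgrade, or work around."""
    if finding.fix_released:
        return "upgrade to the fixed release"
    return "no upstream fix: pin, add a compensating control, or plan a replacement"


def rank(findings, today: date = TODAY):
    """Return (advisory, score) pairs, highest exposure-aware score first."""
    scored = [(f.advisory, velocity_score(f, today)) for f in findings]
    return sorted(scored, key=lambda pair: -pair[1])


# Constructed sample findings (not real packages or advisories).
SAMPLE = [
    # Critical, but a fix shipped days after disclosure: upgrade and move on.
    Finding("libalpha", "EXAMPLE-0001", 9.1, date(2024, 5, 27), True, 10),
    # Medium by CVSS, public for four months, solo maintainer, no release:
    # this is the one the CVSS-only triage in the scenario accepted.
    Finding("libbeta", "EXAMPLE-0002", 5.3, date(2024, 2, 2), False, 1),
    # High with a fix available for a month: routine upgrade.
    Finding("libgamma", "EXAMPLE-0003", 7.5, date(2024, 5, 2), True, 4),
]


if __name__ == "__main__":
    for advisory, score in rank(SAMPLE):
        finding = next(f for f in SAMPLE if f.advisory == advisory)
        print(f"{advisory} {finding.package:<10} cvss={finding.cvss:<4} "
              f"exposed={exposure_days(finding):>3}d score={score:<4} "
              f"-> {recommended_action(finding)}")
```

Run as a script, the medium-severity finding with no shipped fix rises to the top of the list, above the critical that already has an upgrade path; the point is not the particular weights but that "is a fix actually released" and "how long has this been public" must be inputs to triage, which a plain SBOM scan does not provide.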